Vulnerability Assessment vs Penetration Test. What's the difference?
A vulnerability assessment and a penetration test are both effective at helping an organisation reduce its available attack surface. However, each exercise is distinct in its own way.
A vulnerability assessment typically covers a large number of endpoints using mainly automated tools and techniques. This approach is useful for detecting known vulnerabilities, checking whether hardening settings have been applied and discovering open services.
A penetration test goes a step further. During a penetration test, a qualified security professional will also conduct manual testing alongside using automated tools and techniques. Within a penetration test, the consultant will often attempt to "chain" or combine vulnerabilities together in order to elevate their overall impact and demonstrate exactly how an adversary would do it.
Should my organisation conduct Penetration Testing?
Cyber attacks are increasingly common. If you utilise IT systems within your business, then penetration testing should be conducted regularly. Penetration testing can provide assurance that you are taking the necessary precautions to protect your business. Conducting penetration tests regularly allows you to keep abreast of any risks, along with their impact and the likelihood that they would occur.
How does the scoping process work?
Scoping is the term for the process of gathering information about a Penetration Test before a formal sales quotation is issued to a client. During scoping, we want to know as much information as possible. We want to know things like:
- Details about the assets your organisation would like subjected to penetration testing.
- What systems do they interact with, and should those systems be in scope?
- What are your budgetary requirements?
- How critical are these assets to your business operations?
- What perspective would you like the testing performed from? e.g. from the internet, from a compromised standard user or from a compromised administrative user etc.
Essentially, we want your organisation to get the best value possible for your money. Therefore, we ensure that this phase is very thorough, leaving no stone unturned.
We are worried about disruption to our business; how can you address that?
Adversify will not intentionally cause disruption to networks, systems and applications during a Penetration Test. Our default approach is to follow non-destructive testing methods, and we do not actively test for Denial of Service vulnerabilities. Furthermore, we can put additional fail-safes in place, such as setting a designated out-of-hours testing window, running the penetration test against a pre-prod environment instead of the live environment, and tuning down any automated tools as necessary.